A recent spate of financial malware campaigns targeting Brazilian companies, collectively dubbed Metamorfo, uses “spray and pray” spam tactics to ensnare victims. Across the various offensives, the bad actors are abusing legitimate, signed binaries to load the malicious code. As the name Metamorfo suggests, the campaigns have much in common – including a multi-stage infection path, a legitimate Windows tool used as a side-loader and cloud storage used to host the bad code – but with slight, morphing differences.